The present invention has been made in consideration of thin devices efficiently communicating ideas and transactions into data networks by using other devices with full functional user interfaces in the networks. According to one aspect of the present invention, the thin device exclusively controls the authentication of a rendezvous that is associated with a user account in a server. The thin device, running a micro-browser, provisions the rendezvous with a set of credential information in an authenticated and secure communication session so that the provisioning process is truly proprietary. To access the user account, the other devices, equipped with well known browsers, must submit the correct credential information to the rendezvous for verification in the server. Once admitted, the other devices can update managed information in the user account, individually and respectively, whereby the thin device is able to conduct desired transactions based on the managed information in the user account without the need to key in pertinent information of the transactions.
METHOD AND SYSTEM FOR SECURELY INTERACTING WITH MANAGED DATA FROM MULTIPLE DEVICES

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Application No. 08/987,346, filed Dec. 9, 1997, now U.S. Pat. No. 6,065,120, the content of which is hereby incorporated by reference.

REFERENCE TO APPENDIXES

Appendix A, which is a part of the present disclosure, is a microfiche appendix consisting of 2 sheets of microfiche having a total of 195 frames. The microfiche Appendix is a source code listing of one embodiment of the authentication and provisioning process in the present invention, which is described more completely below.

A portion of the disclosure of this patent document contains material, that includes, but is not limited to, Appendix A and Appendix B, which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyrights whatsoever.


BACKGROUND OF THE INVENTION

1. Field of Invention

The invention relates to user authentication systems over data network systems, and more particularly relates to a method and system for self-provisioning, through a first device, a rendezvous to ensure secure access to managed information in a user account by other devices through the rendezvous in a data network, wherein the rendezvous is generally identified by a URL, the first device, coupled to the data network, runs a first browser under a first communication protocol and the other devices in the same data network run a second browser under a second communication protocol.

2. Description of the Related Art 

The Internet is a rapidly growing communication network of interconnected computers around the world. Together, these millions of connected computers form a vast repository of hyperlinked information that is readily accessible by any of the connected computers from anywhere and anytime. To provide mobility and portability of the Internet, wireless computing devices were introduced and are capable of communicating, via wireless data networks, with the computers on the Internet. With the wireless data networks, people, as they travel or move about, are able to perform, through the wireless computing devices, exactly the same tasks they could do with computers on the Internet.

The most common remote access paradigm is, as of today, the one in which a laptop personal computer is equipped with a wireless communication mechanism, for example, a wireless modem. This paradigm may remain useful for a considerable number of applications and users, but there has been a growing need for a mobile paradigm in which the Internet can be instantly accessed by mobile devices, such as cellular phones and personal digital assistants. The mobile devices are generally designed small in size and light in weight. With increasing data processing capabilities in the mobile devices, more and more users start carrying the devices around to materialize their unproductive time into productive time. As more commonly seen, regular mobile phones can return calls, check voice mail or make users thereof available for teleconferences anywhere and anytime, but desired mobile phones, not just reactive to calls but also proactive, can meld voice, data, and personal information with manager-like functionality into a single handset that can effectively, through a host computer, access a myriad of public and enterprise information services in the Internet.

The evolution of the mobile phones or the mobile devices has been fueled by the demand of users for immediate access to the information they are looking for. For example, a traveler may request an exact flight schedule when he is on his way to the airport, or a trader may purchase shares of stock at a certain price. The pertinent information from these ideas or transactions may include the airline and the flight number for the traveler as well as the number of shares and the price thereof being purchased by the trader. To be timely informed, a preferable way is to communicate the information requests electronically into the wireless data network. The data network, for example, connects to a flight information server or stock quote server so that the desired flight information or the current stock price can be retrieved therefrom on demand. However, it becomes troublesome or impractical to key in lengthy information queries electronically into the data network through a mobile device that typically has a keypad with a few buttons, much less functional compared to a keyboard in a personal computer system. There is therefore a great need for a method and system for efficiently communicating desired transactions into a data network through which the transaction can be performed or pertinent information can be retrieved without the need to key in such information every time the transactions or the information are desired. In many cases the desired information in a user account, especially regarding personal matters, is preferred to be confidential. Thus there is further a need for a generic solution that provides a method and means for self-provisioning an account entry to a user account that has the proprietary information therein accessible only through the account entry.

SUMMARY OF THE INVENTION 

The present invention has been made in consideration of the above described problems and has particular applications to systems of self-authentication by authorized users using devices that have limited computing power. Cellular phones are the typical example that has very little computing power and memory in order to satisfy the long battery life and portability requirements; others include Internet-enabled electronic appliances that generally have computing power at a minimum so as to reduce the cost thereof for market popularity. All these devices, considered as thin devices or clients herein, in data networks, provide users with portable, convenient, and instant access to information being sought in the Internet; for example, retrieving a list of stock quotes using a mobile phone or viewing a list of interested news stations on Internet-connected TVs. In both examples, the mobile phone and a remote control of the TV have very limited user interface to receive inputs from users. One of the important aspects of the present invention is to provide a generic solution for communicating desired ideas or transactions from other devices with rich user interface to such a thin client through a self-provisioned account entry.

While administrated user authentication systems over data networks have been used extensively in areas such as administered network computers and electronic commerce in the Internet, the present invention, disclosing a method and system for self-provisioning, through a first device, e.g. the cellular phone or the remote control, a rendezvous to ensure secure access to a user account by other devices through the rendezvous, yields unexpected results. The administrated user authentication systems in computer networks generally require each account holder to remember his username and associated password. If the username and password were ever lost or forgotten, the corresponding account becomes abandoned or must be clarified by a system administrator. The disclosed invention, however, allows a user to self-provision an account entry or a rendezvous with a set of credential information, which does not require the user to write down or remember the credential information in order to access his account. Further, the user is the only one who knows the credential information created in an authenticated and secure communication session for the rendezvous, whereby the account becomes truly proprietary. Moreover, through the rendezvous, the present invention for the first time allows efficient means for communicating personalized information into a database by utilizing other computers running an HTML browser with a more familiar graphic user interface while allowing a thin device running a micro browser to access the same personalized information stored in the database.

According to one preferred embodiment of the present invention, a method for provisioning, through a thin device, a rendezvous to a user account in a server to ensure secure access to the user account by a networked computing device through the rendezvous having a URL, whereby the networked computing device can update managed information in the user account that is also accessible by the thin device, the method comprises:

initiating a transaction signal by the thin device to the server; the thin device having a client identification associated with the user account in the server and running a micro browser supported by a first communication protocol, wherein the transaction signal comprises the client identification and the URL of the rendezvous;

examining a communication session between the thin device and the server, wherein the session examination between the thin device and the server comprises:
creating the communication session between the thin device and the server if the communication session is not in existence or is not valid;
conducting mutual authentication between the thin device and the server; and
generating session credential information for the session such that subsequent transactions between the thin device and the server are encrypted by the session credential information; and

establishing user credential information for the rendezvous by the thin device; and

associating the user credential information with the rendezvous to the user account in the server.

Upon updating the user credential information to the rendezvous, the networked computing device with the correct user credential information can go through the rendezvous to the user account to edit, modify or update the managed information, e.g. a URL of a Web server, in the user account with a more convenient information entering means, such as an HTML browser. The thin device can immediately access the managed information, such as the specified URL, to retrieve pertinent information therefrom without the need to key in the URL, which often contains a long string of letters.

The system for secure access to a user account in a server, through a rendezvous identified generally by a URL, the rendezvous being exclusively designated to the user account, the system comprising:

a data network comprising an airnet supporting a first communication protocol and a landnet supporting a second communication protocol, the landnet coupled to the server;

a first client device, remotely located with respect to the server device and coupled to the airnet using a first communication protocol, having a client identification exclusively associated with the rendezvous and running a first browser;

a second client device coupled to the landnet using a second communication protocol and running a second browser;

means for mapping the first communication protocol to the second communication protocol and the second communication protocol to the first communication protocol; the first client communicating with the server via the communication protocol mapping means;

means for creating an authenticated and secure communication session between the first client device and the server through the data network; the session creating means comprising:
means for requesting the session by the first client device to the server if the session is not in existence or is not valid;
means for conducting mutual authentication between the first client device and the server; and
means for generating session credential information for the session in creation; and

means, by the first client and through the created session, for updating the rendezvous with user credential information by a first browser such that the user account is accessible by the second client through the rendezvous with the user credential information.

Accordingly, an important object of the present invention is to provide a generic solution for self-provisioning a rendezvous to a corresponding user account created and authorized in a server;

Another object of the present invention is to provide a method and system for efficient and secure access to a user account by self-provisioning a rendezvous to the account such that any computer with a more convenient information entering means may update managed information in the account; and

Other objects, together with the foregoing, are attained in the exercise of the invention in the following description and resulting in the embodiment illustrated in the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features, aspects, and advantages of the 
present invention will become better understood with regard 
to the following description, appended claims, and accom- 
panying drawings where: 

FIG. 1 shows a schematic representation of a data network 
in which the present invention may be practiced; 

FIGS. 2.a and 2.b illustrate a representation of system 
architecture of the present invention and a layout of a 
corresponding user account in a server in communication 
with a mobile phone and a PC; 
FIG. 3 shows a typical example of a mobile device that houses one portion of the linked and compiled processes disclosed in the present invention;

FIG. 4 illustrates a schematic representation of a mutual authentication process between a mobile device and a host server to ensure subsequent information transacted therebetween is secured;

FIGS. 5.a and 5.b demonstrate a flowchart showing the corresponding processes in each of the involved devices, respectively; and

FIGS. 6, 7, 8, 9 and 10 illustrate, respectively, examples of personalizing a user account being accessed through a self-provisioned rendezvous.

DETAILED DESCRIPTION OF THE INVENTION

In the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will become obvious to those skilled in the art that the present invention may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuitry have not been described in detail to avoid unnecessarily obscuring aspects of the present invention.

The following detailed description of the present invention is presented largely in terms of procedures, steps, logic blocks, processing, and other symbolic representations that resemble the operations of data processing devices coupled to networks. These process descriptions and representations are the means used by those experienced or skilled in the art to most effectively convey the substance of their work to others skilled in the art. The present invention is a method and system for self-provisioning a rendezvous through a thin device to ensure secure access by other devices to information in a database in a data network. The method along with the system or architecture to be described in detail below is a self-consistent sequence of steps leading to a desired result. These steps or processes are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities may take the form of electrical signals capable of being stored, transferred, combined, compared, displayed and otherwise manipulated in a computer system or electronic computing systems. It proves convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, operations, messages, terms, numbers or the like. It should be borne in mind that all of these similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following description, it is appreciated that throughout the present invention, discussions utilizing terms such as "processing" or "computing" or "verifying" or "displaying" or the like, refer to the actions and processes of a computing system that manipulates and transforms data represented as physical quantities within the computing device's registers and memories into other data similarly represented as physical quantities within the computing device or other such as storage, transmission or display devices.

Referring now to the drawings, in which like numerals refer to like parts throughout the several views. FIG. 1 shows a schematic representation of a data network 100 in which the present invention may be practiced. The data network 100 comprises an airnet 102 that is generally called wireless network and a landnet 104 that is generally a landline network, each acting as a communication medium for data transmission therethrough. The airnet 102, in which transmission is via the air, is sometimes referred to as a carrier network because each airnet is controlled and operated by a carrier, for example AT&T and GTE, each having its own communication scheme, such as CDPD, CDMA, GSM and TDMA for the airnet 102. The landnet 104 or the Internet, used interchangeably herein, may be the Internet, the Intranet or other private networks. Referenced by 106 is a mobile data device, but resembling a mobile phone therein, in communication with the airnet 102 via an antenna 108. It is generally understood that the airnet 102 communicates simultaneously with a plurality of mobile computing devices of which only a mobile or cellular phone 106 is shown in the figure. Similarly, connected to the Internet 104 are a plurality of desktop PCs 110 and a plurality of servers 112, though only one representative respectively is shown in the figure. The PC 110, as shown in the figure, may be a personal computer SPL 300 from NEC Technologies Inc. and runs a HTML Web browser via the Internet 104 using HTTP to access information stored in the web server 112 that may be a workstation from SUN Microsystems Inc. It is understood by those skilled in the art that the PC 110 can store accessible information therein so as to become a web server as well. Between the Internet 104 and the airnet 102 there is a link server 114 performing data communication between the Internet 104 and the airnet 102. The link server 114, also referred to as link proxy or gateway, may be a workstation or a personal computer and performs mapping or translation functions, for example, communication protocol mapping from one protocol to another, whereby a mobile device 106 can be in communication with any one of the servers 112 or the PCs 110, respectively.

The communication protocol in the Internet 104 is the well known HyperText Transfer Protocol or HTTP and runs on TCP and controls the connection of a well known HyperText Markup Language Web browser, or HTML Web browser, to a Web server and the exchange of information therebetween. The communication protocol between the mobile device 106 and the link server 114 via the airnet 102 is Handheld Device Transport Protocol (HDTP), or Secure Uplink Gateway Protocol (SUGP), which preferably runs on User Datagram Protocol (UDP) and controls the connection of a HDML Web browser to a link server, where HDML stands for Handheld Device Markup Language; it is similar to HTML and is a set of commands or statements that specify how information is displayed. The specifications of both HDTP and HDML, being considered as the wireless network standards, are provided at http://www.w3.org or http://www.uplanet.com and incorporated herein by reference. Further a reference specification entitled "Magellan SUGP Protocol", a HTTP specification with network security features, is incorporated herein by reference as Appendix B. The HDTP is a session-level protocol that resembles the HTTP but without incurring the overhead thereof and is highly optimized for use in mobile devices that have significantly less computing power and memory. Further it is understood to those skilled in the art that the UDP does not require a connection to be established between a client and a server before information can be exchanged, which eliminates the need of exchanging a large number of packets during a session creation between a client and a server. Exchanging a very small number of packets during a transaction is one of the desired features for a mobile device with very limited computing power and memory to effectively interact with a landline device.

Referring now to FIGS. 2.a and 2.b, there is depicted a representation of the architecture 120 of the present invention. As described above, the airnet 102 communicates simultaneously with a plurality of two-way mobile communication devices, 122, 124 and 126, generally from a group consisting of mobile phones, two-way pagers and telephones, such as a Duette cellular phone from Samsung Telecommunication America, Inc. Due to the increasing reduction in size and weight and high portability, most of the mobile devices, considered as thin clients, have a very limited computing power, typically equivalent to less than one percent of what is provided in a typical desktop or portable computer; the memory capacity in a thin client is generally less than 250 kilobytes and the LCD display thereof is perhaps four lines high by twelve or twenty characters, the graphics capabilities thereof are very limited or nearly nonexistent and the general user interface is a keypad having far fewer buttons than a PC keyboard does. Therefore many transactions desired by users through such clients are preferably predetermined or pre-entered in their user accounts in a host server 128 such that the users need only to select desired transactions to perform or at most key in one or two letters corresponding to desired entries through the keypads of their cellular phones. For example, if there is a list of stock symbols of interest in a user account that is designated to a mobile phone, a user of the mobile phone will not have to key in the symbols every time he desires to look up the price thereof currently being traded in the stock market. The list of stock symbols is previously entered to the user account. Evidently the most available and convenient means for now is to use a computing device that has powerful and full functional information entering capabilities. A PC is a typical example of such computing device; the PC can be equipped with the well-known HTML browser that provides a rich graphic user interface and an ideal environment for the user to manage his personalized information in his account.

As is well known, the Internet 104 is typically a landline network connecting computers that are provided the HTML browser. Referenced by 110 is a PC representing one of the computers that use the HTML browser running on HTTP to hyperlink to other computers/servers 132 or 134 to update/fetch information on line or simply copy files therefrom. It should be noted that "user account" and "database" have been used herein sometimes interchangeably when only one account is being addressed. It is generally understood that a database or an allocation of memory, as referenced by 130 in the FIGS. 2.a and 2.b, hosts a plurality of user accounts, each designated to an authorized capacity in which managed or personalized information is kept. Further it is understood that the database 130 can be an independent storage or physically a part of the host server 128. To access the personalized information therein from any computer on the Internet 104, one has to provide an account entry, namely a rendezvous, to a user account in the host server 128 or database 130 with a set of credential information such as a username and a password thereof. FIG. 2.b illustrates a layout of a typical user account assigned with a mobile phone 106. Each mobile phone is assigned to a device ID 140 which can be a phone number of the phone or a combination of an IP address and a port number, for example: 204.163.165.132:01905 where 204.163.165.132 is the IP address and 01905 is the port number. The device ID 140 is further associated with a subscriber number (sub #) 142 authorized by a carrier in the link server 114 as part of the procedures to activate the phone 106. The sub # may take the form, for example, of 861234567-10900_pn.mobile.att.net by AT&T Wireless Service; it is a unique identification to the phone 106. In other words, each of the mobile devices 122, 124 and 126 has a unique device ID that corresponds to a user account in a server, respectively. It may be appreciated by those skilled in the art that the link server 114 does not have to be a separate server to perform the communication protocol mapping; it can be just a part of the host server 128 and the protocol mapping is a part of the functions the host server 128 provides.

A corresponding account 144 in the database 130 is indexed by an account structure 143 comprising the sub # 142, user information 146, a username 148 and a password 150. The sub # 142 is received from the link server 114 as an index to the account structure 143; the user information 146 comprises the account configuration and other account related information. The username 148 and the password 150, namely the user credential information, control the authentication to enter the account 144 in the database 130. From the data network perspective, any computer can log on through HTTP to the rendezvous 152 identified by an address identifier, often a universal resource locator (URL) taking the form of www.xyz.com. In other words, each account in a database is exclusively associated with a rendezvous identified by a unique URL. As shown in the figure, the PC 110 establishes a communication session with the rendezvous 152 based on a given URL of the rendezvous 152. However, to access the associated account 144 in the database 130, the PC 110 must provide a set of correct username and password to the rendezvous 152 that performs a verification thereof with the account structure 143. If the supplied username and password match those in the account structure 143, the access requested by the PC 110 is allowed. Otherwise, the entry to the account 144 is denied.

The PC 110 can update information stored in the account 144 when the supplied username and password are verified. Using the powerful and familiar HTML browser in the PC 110, a user can key in frequently requested information, such as a list of stock symbols and a list of URLs of Web servers that provide services to the phone 106. An example will be provided later. All the information entered through the PC 110 becomes immediately available to the phone 106.

A process named webpwd.cpp in the code listing in the appended Microfiche Appendix A illustrates a provisioning process between the phone 106 and the link server 114 in one embodiment of the present invention. Upon the request of the phone 106, the process, specifically in a subprocess called setNameAndPasswordState(), allows the phone 106 to supply a username and a password and then sends the newly supplied credential information to a second subprocess called submitState() that checks if the entered username and password are acceptable, namely the username and password should have a certain length and contain no spaces or unrecognized characters with respect to a general rule of being a username and password. If the username and password are not acceptable, the subprocess submitState() returns to the phone 106 with a corresponding message being either "You must enter a name" or "You must enter a password". Otherwise, the newly entered username and password are sent to another subprocess called SetUserAuth() in a process called HTTPDBMSUserDB. The subprocess SetUserAuth() updates the username and password in the account structure 143, which immediately requires all subsequent logins to the account entry 152 with the newly supplied username and password. A subprocess Authenticate() examines a set of username and password supplied by the PC 106; it compares the username and password from the PC 110 to the ones in the account structure 143. If the comparison is successful, the subprocess Authenticate() returns an AuthPass flag that allows the PC 110 to access the account in the database. Otherwise, it returns a flag that denies the admission of the PC 100 to the account.

It should be noted that the communication between the phone 106 and the link server 114 is through the airnet 102 in FIG. 1. Messages carrying proprietary information travelling in the air are not secure. To transact credential information over the open space to provision the rendezvous, the user must have an efficient, reliable and secured manner to conduct private communications with the link server.

According to one embodiment of the present invention, an authenticated and secure session between the cellular phone 106 and the link server 114 must be in place before the cellular phone provisions the rendezvous through which the user accesses his/her account from other computers. It is necessary to refer to an architecture of a mobile phone before proceeding with the detailed description of creating the authenticated and secure communication between a user's phone (client) and a server. FIG. 3 is a block diagram of a typical GSM digital cellular phone 160. Each of the hardware components in the cellular phone 160 is known to those skilled in the art and so the hardware components are not to be described in detail herein. Although the user interface of the phone 160 is not shown in detail in the figure, the mobile device 118, resembling a cellular phone, in FIG. 1 may be referenced thereto, in which referenced by 116 is a LCD screen and 118 is a key button pad, respectively. The screen 116 prompts the user what to proceed with on the keypad 118; with a sequence of key entries and through the phone 160, a user can interactively communicate with a

representing a link server 114 of FIG. 2, initiates a SR 174 to be sent to the server 172 by first creating a client proto-session. A client proto-session is a session data structure that gets initialized when a session creation starts. The initialized SR 174 comprises the following essential information:

sessionID: an identifier identifying all requests from the client to the server; in the case of requesting a session, sessionID is always assigned to 0;

cipher: a two-byte number representing the choice of the encryption the client is currently using, as there are a number of encryption schemes available in a communication protocol;

deviceID: a variable of up to 255 bytes, representing the device identifier or the client identifier, comprising a phone number of the device or an IP address and a port number, e.g. 204.163.165.132:01905; and

C-nonce: a client nonce represented with a non-repeatable number, usually 2 bytes, used for the client to conduct a following server authentication;

C-nonceModified: a modified version of the client nonce, used for the server to conduct a nonce verification in the following client authentication.

Further the cipher in the SR 174 includes an identifier to an encryption algorithm and associated parameters thereof. To be more specific, the first byte in the cipher represents an identifier to a combination of the encryption algorithm, the key size (e.g. 128-bit for US or 40-bit for foreign countries) and content of a security attachment thereto, and the second

server through the airnet, link server and the Internet. byte in the cipher indicates the additional parameters related 

According to one embodiment of the present invention, to the first byte. For example, value 1 in the first byte 

complied and linked processes of the present invention are indicates that the encryption algorithm is block cipher RC5, 

stored in ROM 162 as a client module 164 and support the key size thereof is 128 bit, a two byte check-sum therein 

module 166. Upon activation of a predetermined key 35 is used as the MAC (Message Authentication Code), no IV 

sequence utilizing the keypad 118, a physical layer proces- (Initialization Vector for block ciphers) therefor is transmit - 

sor or microcontroller 118, initiates a session communica- ted over the network, and padding bytes are added if 

tion to the server using the module 164 in the ROM 162. necessary. The block cipher algorithm RC5 is part of the 

To establish a secured communication between a cellular RSA's BSAFE product. It can be further appreciated that the 

phone (a client) and a server, an authentication process must 40 identifier in the cipher may be assigned to a unique value to 

be conducted first to ensure that only interested parties are identify a non-secure session if so desired. The C-nonce is 

actually in the communication therebetween. According to a non-repeatable number initially and randomly generated in 

one embodiment of the present invention, the code listing the client and the modified version thereof, 

thereof being provided in the appended Microfiche C-nonce Modified, is generated from the C-nonce through an 

Appendix, the process is complete through two rounds of 45 operational relationship; for example the Exclusive-OR rela- 

independent authentication, one being the client aulhenti- tionship or expressed as follows: 
cated by the server, referred to as client authentication, and 

the other being the server authenticated by the client, c-nonceModified-2-byte-numbei©c-nona. 
referred to as server authentication. Further each authenti- j t can be appreciated by those who are skilled in the art that 
cation is completed in two separate steps for high grade of 50 there are many ways to get the C-nonceModified from a 
security, which will be described in detail below. The C-nonce, the Exclusivc-OR is one of the operational rcla- 
success of the mutual authentication processes provisions an tionships used in one embodiment of the present invention, 
evidence that the two communicating parties possess a valid Both C-nonce and C-nonceModified are encrypted using the 
shared secret encrypt key through a mutual decryption and shar ed secret encrypt key between the client 170 and the 
a challenge/response mechanism. The mutual decryption 55 server 172. The purpose of the C-nonceModified is to 
mechanism comprises the steps of mutually recovering provide the server that receives the SR with means for 
encrypted messages from two involved communicating par- ensuring that C-nonce is correctly decrypted and validated 
ties. The challenge/response mechanism, referred to as by examining the C-nonce and its relationship with the 
nonce verification, verifies a predetermined relationship C-nonceModified. Both should not be altered after a sue- 
between a sent nonce and a received derivative thereof. 6 0 cessful decryption of the C-nonce and the C-nonce Modified. 

In one preferred embodiment of the present invention, the In other words, a SR message or signal may be expressed as 

authentication process is conducted with three message follows: 
exchanges; a Session Request (SR), a Session rePly (SP), 

and a Session Completion (SQ. FIG. 4 illustrates a sche- SR- {session id, cipher, device ID, Encry[nonce, 

matic representation of the authentication process. The cli- 65 nonce. 1 c jj, 

ent 170, representing a mobile device or the cellular phone where Encryf ] means that the parameters or contents in the 

106 of FIG. 1, to conduct a transaction with the server 172, bracket are encrypted accordingly. When the SR is sent by 
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the client to the server to request a session creation, both 
C-nonce, C-nonceModified are encrypted according to the 
cipher the client is using at the time the SR is sent out. 
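The following example is added here and is not code from the patent or its microfiche Appendix A. It builds the Encry[C-nonce, C-nonceModified] field of the SR exactly as cipher byte 1 above describes it: RC5 with a 128-bit key, a two-byte checksum standing in for the MAC, no IV on the wire, and padding added to fill the last block. RC5-32/12/16 is implemented from Rivest's published description. The checksum rule (byte sum mod 2^16), the ECB block handling, the pad-length rule, the XOR constant 0x5A5A and the big-endian 16-bit field layout are assumptions made for illustration; the patent fixes none of them.

```python
"""Added example, not from the patent or its Appendix A: the SR's
Encry[C-nonce, C-nonceModified] under cipher byte 1 (RC5, 128-bit key, two-byte
checksum as MAC, no IV transmitted, padding as needed). Assumed: checksum rule,
ECB handling, pad rule, XOR constant and field layout."""
import os
import struct

W, R = 32, 12                          # RC5-32/12: 32-bit words, 12 rounds
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9      # RC5 magic constants for w = 32
XOR_CONST = 0x5A5A                     # the "2-byte-number" in C-nonceModified = 2-byte-number XOR C-nonce
RC5_128_CHECKSUM_NOIV = bytes([1, 0])  # cipher field: first byte = scheme 1, second byte = no extra parameters

def _rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK

def _rotr(x, n):
    n %= W
    return ((x >> n) | (x << (W - n))) & MASK

def rc5_expand(key):
    """RC5 key schedule for a 16-byte (128-bit) key; returns the round-key table S."""
    assert len(key) == 16
    c = len(key) // 4
    L = list(struct.unpack("<4I", key))
    t = 2 * (R + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt_block(S, block):
    A, B = struct.unpack("<2I", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, R + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<2I", A, B)

def rc5_decrypt_block(S, block):
    A, B = struct.unpack("<2I", block)
    for r in range(R, 0, -1):
        B = _rotr((B - S[2 * r + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * r]) & MASK, B) ^ B
    return struct.pack("<2I", (A - S[0]) & MASK, (B - S[1]) & MASK)

def checksum16(data):
    """The two-byte checksum the text uses as its MAC (assumed rule: byte sum mod 2^16).
    It catches transmission errors and wrong-key garbage; it is not a cryptographic MAC."""
    return sum(data) & 0xFFFF

def encry(key, plaintext):
    """Encry[...] for cipher byte 1: append checksum, pad to the 8-byte block, RC5 in ECB, no IV sent."""
    S = rc5_expand(key)
    body = plaintext + struct.pack(">H", checksum16(plaintext))
    pad = 8 - len(body) % 8            # 1..8 pad bytes, each holding the pad length (assumed rule)
    body += bytes([pad]) * pad
    return b"".join(rc5_encrypt_block(S, body[i:i + 8]) for i in range(0, len(body), 8))

def decry(key, ciphertext):
    """Inverse of encry; None is the text's 'not fully decrypted' case (bad padding or checksum)."""
    if not ciphertext or len(ciphertext) % 8:
        return None
    S = rc5_expand(key)
    body = b"".join(rc5_decrypt_block(S, ciphertext[i:i + 8]) for i in range(0, len(ciphertext), 8))
    pad = body[-1]
    if not 1 <= pad <= 8 or body[-pad:] != bytes([pad]) * pad or len(body) - pad < 2:
        return None
    plaintext, cs = body[:-pad - 2], struct.unpack(">H", body[-pad - 2:-pad])[0]
    return plaintext if checksum16(plaintext) == cs else None

def make_sr(shared_key, device_id, c_nonce=None):
    """Client side: SR = {sessionID = 0, cipher, deviceID, Encry[C-nonce, C-nonceModified]}."""
    if c_nonce is None:
        c_nonce = struct.unpack(">H", os.urandom(2))[0]   # the 2-byte client nonce
    body = struct.pack(">HH", c_nonce, c_nonce ^ XOR_CONST)
    return {"sessionID": 0, "cipher": RC5_128_CHECKSUM_NOIV, "deviceID": device_id,
            "encrypted": encry(shared_key, body)}

def server_check_sr(shared_key, sr):
    """Server side, step one client authentication: decrypt, then test the XOR relationship.
    Returns the recovered C-nonce, or None when the proto-session must be aborted."""
    if sr["cipher"] != RC5_128_CHECKSUM_NOIV or sr["sessionID"] != 0:
        return None                    # cipher not supported here, or not a session request
    plain = decry(shared_key, sr["encrypted"])
    if plain is None or len(plain) != 4:
        return None
    c_nonce, c_mod = struct.unpack(">HH", plain)
    return c_nonce if c_nonce ^ XOR_CONST == c_mod else None
```

With a wrong key or an altered ciphertext the RC5 block decrypts to unrelated bytes, so the padding or the checksum fails and the server gets None, which is the "not fully decrypted" outcome that aborts the proto-session. The caveat a practitioner would note is that a two-byte checksum is only 16 bits of accidental-error detection; any integrity this envelope has against an active attacker comes from the key-dependent block cipher and the nonce relationship, not from the checksum.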

Upon receiving the SR from the client 170, the server 172 creates a server proto-session for the client 170 with a session identifier, referred to as session ID, to identify the session context for the session just created in the server 172. A server proto-session is a session entry marked with a proto status in a session table, which indicates that the session is not authenticated and is not able to conduct any transactions with the client. It is understood by those skilled in the art that the proto-session can be kept in the RAM of the server. If a proto-session already exists for that client, it is re-used. The information in the received SR is saved in the server proto-session. If the server 172 is satisfied with the fact that the client is known, namely Encry[C-nonce, C-nonceModified] in the received SR is successfully decrypted with the shared secret encrypt key, step one of the client authentication is successful and a corresponding session key is generated and stored with the server proto-session entry. It may be noted herein that many encryption schemes used in this invention, such as the scheme utilizing RC5, have a procedure that adds and validates a Message Authentication Code, such as the checksum, to assure that the encrypted message is correctly decrypted; this procedure, run every time a decryption takes place, is used herein to examine the transaction integrity, namely to assure that the received messages or signals were unaltered in the course of data transmission. If the step one client authentication is not successful, namely Encry[C-nonce, C-nonceModified] in the received SR is not f
ully decrypted or not supported, the proto-session is aborted and removed from the proto-session table, resulting in a failed session creation. What "supported" means herein is that the cipher proposed or used by the client is also used by the server; for example, if the client uses the RC5 encryption to produce Encry[C-nonce, C-nonceModified], then to decrypt Encry[C-nonce, C-nonceModified] the server must be equipped with the same RC5 encryption capability. If Encry[C-nonce, C-nonceModified] cannot be successfully decrypted due to other reasons such as transmission errors, the client must reinitiate a new session request to the server in order to establish a secure communication with the server. To challenge the step two server authentication subsequently at the client side, a derivative of the client nonce, or C-nonce, is generated. In one embodiment of the present invention, the derivative is created by adding a constant to the client nonce, for example:

derivative = C-nonce + 1.

The purpose of the derivative is to provide the client with means for reassuring itself that the C-nonce was correctly decrypted by the server and that the server is the correct server with which the client should be in communication.

Right after the successful step one client authentication, the server 172 responds to the client with a Session rePly (SP) 176 to begin the second round of authentication, the server authentication. The SP 176 comprises the following information:

C-SID - a one-byte number indicating the sessionID originally assigned in the client; to be more specific, C-SID = 0 indicates a clear text client session, C-SID = 1 indicates a shared secret key encrypted session, and C-SID = 2 indicates a session key encrypted session. In the context of the current description, C-SID = 1.

sessionID - a four-byte number representing an identification and parameters, such as a session encrypt key, of the session created by the server for the client;

key - a session key to be used with a mutually acceptable encryption, and to be used for encryption and decryption in all transactions in the session;

derivative - a number derived from the C-nonce for the client to perform the subsequent server authentication;

S-nonce - a non-repeatable number, used for the server to conduct a following step-two client authentication; it should be noted that S-nonce is generated by the server and is generally different from the C-nonce generated by the client; and

cipher - a two-byte number representing the choice of the encryption the server proposes after the client-proposed cipher is received. It may or may not be the same as the one used in the client; to be more specific, the cipher is the same as the one proposed by the client when the server supports the client-proposed cipher, otherwise the cipher is the one currently used in the server.

In other words, the SP can be expressed as follows:

SP = {C-SID, Encry[sessionID, key, S-nonce, derivative, cipher]};

When the client 170 receives the SP 176 from the server 172, it performs the step one server authentication, which is considered successful if Encry[sessionID, key, S-nonce, derivative, cipher] in the received SP 176 is decrypted successfully with the shared encrypt key. If the step one server authentication fails, the client 170 discards the SP 176 and a new session creation may be started over again. Upon the success of the step one server authentication, the client 170 proceeds with the step two server authentication; namely, the predetermined relationship between the C-nonce and the derivative thereof must hold for a successful step-two server authentication:

C-nonce = derivative - 1.

If the C-nonce derived from the SP 176 is the same as the C-nonce originally generated by the client, the step two server authentication is successful; hence the server 172 is considered authenticated and trusted from the viewpoint of the client, and the SP 176 is accepted as a valid message, which means that the client 170 then uses the session key and other information in the SP 176 for the session being created. Only with both steps of the server authentication successful does the client 170 mark the session as committed, which means that transactions can be conducted subsequently in the session, again only from the viewpoint of the client 170. If the predetermined relationship between the client nonce and the derivative thereof does not hold, the step two server authentication fails and the received SP 176 is discarded. The client 170 may abort the session creation process if no further SP's are received that pass both steps of the server authentication during the time period allowed for a session creation. To provide the server with means for reassuring itself of the client authentication through the client, a derivative of the S-nonce, similar to the derivative of the C-nonce, is generated.

The client 170 then sends the server 172 a SC 178 to complete the session creation process. The SC 178 comprises the following information:

SC = {Encry[derivative]};

where the derivative is the client's response to the server nonce challenge, namely the result of the verification; the derivative is used by the server 172 for the step two client authentication. Further, it is noted that the SC 178 is an encrypted message, meaning that the client encrypts the information in the SC 178 according to either its own cipher or the server-proposed cipher. Generally the client 170 encrypts the information in the SC 178 according to the
server-proposed cipher if it accepts the server-proposed cipher; otherwise, it encrypts the SC according to its own cipher.

Upon receipt of the Session Completion or SC 178, the server 172 tests whether the client 170 used its own proposed cipher or the server-proposed cipher by decrypting the SC twice, using the two ciphers, if necessary. If the server 172 decrypts the encrypted message in the SC 178 and verifies the relationship thereof with the S-nonce, the step two client authentication has succeeded. Subsequently the server 172 promotes the server proto-session to an active session and the session creation process is completed, whereby an authenticated and secure communication session is established between the client and the server. Any transactions in the established communication session are now encrypted by the session key created in the server according to a cipher mutually agreed by both the client and the server, whereby the transactions between the client and the server are truly proprietary. A code listing of one embodiment of the mutual authentication is given in Appendix A.

Referring now to FIGS. 5.a and 5.b, each illustrates a flowchart showing the processes of the present invention in each involved device, respectively, in conjunction with FIGS. 6, 7, 8, 9 and 10 demonstrating examples of personalizing a user account being accessed through a self-provisioned rendezvous. A client 200, which can be a cellular phone, in FIG. 5.a is one of the mobile devices communicating with a server 250 in FIG. 5.b through a data network that is not shown in these figures but is illustrated in FIG. 1 or FIGS. 2.a and 2.b. It should be noted that the server 250 functions as a link server and a host server. The functional flowcharts on the client and server sides are conjointly described in the following with respect to a cellular phone. Nevertheless, it will be appreciated by those skilled in the art that a server, without reciting specifically a link server or a host server, as referenced by 250 can perform similar functions; this becomes evident when the client is a landline device having direct communication to the Internet.

As part of the procedures to activate a cellular phone, a user account, sometimes called a device account, is created in the server 250; the account is exclusively associated with the phone or client 200. In other words, each mobile device in the data network has its own account identified by a corresponding device ID and subsequently a sub # in the server 250. The account for the client 200 is therefore created and configured at 252 according to the services subscribed by the client 200. Meanwhile a corresponding account structure, similar to 143 in FIG. 2b, is initiated at 254. With an established account in the server 250, the client 200 becomes one of the clients capable of communicating with any computers in a data network.

When a user desires to update his personalized information in his account, he needs to first self-provision the rendezvous associated with his account using the client 200. The phone therefore requests a communication session with the server 250 at 202 so that subsequent transactions take place in an authenticated and secure communication session. From the session creation described above, it can be appreciated that the session creation requested by the client 200 includes a piece of device information assigned to the client 200. If, at 204 and 206, the device information sent to the host is not recognized by the contacted host 250, no communication session can possibly be established. Meanwhile the host 250 receives the session request from the client 200; as part of the session creation process, the device information is examined at 260 and the session creation process proceeds when the device information is verified at 262, which means that the device 200 has an authorized account therein. At 208 and 264 respectively, a mutual authentication process between the client 200 and the server 250 takes place. As described above, the mutual authentication process comprises a client authentication and a server authentication, each further comprising two respective steps to ensure that the communicating party is authenticated. Resulting from the mutual authentication process, once the session is created and authenticated at 210 and 266 of the client 200 and the server 250, respectively, a set of session credential information is generated. The session credential information comprises a session ID, a session key and a session cipher. The session ID is used to distinguish the session from other sessions that the host is creating or has already established with other mobile devices or clients, and the session key and the session cipher are used to encrypt transactions between the client 200 and the server 250. At 212, the client 200 is made aware that there is a rendezvous associated with the account designated to the phone 200. If the user desires to update his personalized information in the account created and authorized in the server 250, he may proceed at 214 with the rendezvous, which is generally identified by a URL provided by the host 250, and is subsequently prompted for a set of user credential information, such as a username and a password. At 216, the user credential information is entered. The credential information is then sent to the host 250 at 218, which includes a process of ensuring that the newly supplied username and password satisfy a general rule of being a username and a password. The username/password ensuring process has been discussed above and the code listing thereof is in Appendix A. Meanwhile the host 250 has acknowledged that the client 200 is about to provide a set of new user credential information and expects it therefrom at 268. As soon as the new user credential information has arrived, the server 250 updates the user credential information associated with the rendezvous at 270. In other words, to pass through the rendezvous to the user account from other devices from now on, the new credential information must be provided.

With the newly updated user credential information, the user can now log onto the rendezvous from any computer in the data network. A PC, which is not shown, connected to the data network, is equipped with a familiar HTML-based browser, preferably from Netscape Communications Corporation or Microsoft Corporation. As an example, it is assumed that a user has just provisioned a rendezvous with the username "marylee" and the corresponding password "123456". The user now goes to a networked PC that runs a Navigator browser from Netscape Communications Corporation and logs onto the rendezvous based on the URL of the rendezvous. FIG. 6 shows an interactive web page 300 received from the server 250 after the PC has made the connection to the rendezvous. It is understood by those skilled in the art that the page and subsequent pages can be constructed with HTML along with CGI scripts/Java applets, where CGI stands for Common Gateway Interface, to receive information entered by a user. To update his personalized information in his account, the user must provide the newly created username and password required at 302 and 304. It should be noted that the password entered is generally not echoed at 304 and is instead indicated with an asterisk corresponding to each letter entered. When the login icon 306 is activated, the entered username and password are retrieved and sent, through the network, to the server 250, in which the entered username and password are verified; namely, the entered username and password must match those entered and authorized by the user through the client 200. The user is then prompted with a second web page 310 shown in FIG. 7 in which the username is displayed as referenced by 312. To categorize personalized information in the account, the web page 310 comprises entries to other specific service pages, such as Personal Organizer 314, Bookmarks 316 and Create a Message 318. All these pages are accessible by the user to personalize his desired information therein. FIG. 8, for example, is a page 326 of the Personal Organizer 314 showing a personalized address book 320 that allows the user to edit his frequently contacted people's phone numbers and other information. FIG. 9 is a page of the Bookmarks 316 that allows the user to establish a list of web sites he may frequently visit through his cellular client 200; for example, StockTIPS, referenced by 322, allows the user to keep a list of stock symbols there. With the personalized bookmarks, the user, when on the go, can quickly enter the web pages holding his list of stock symbols to look up the prices thereof currently being traded in the stock market without keying in any symbols at all. As a convenient feature, the page 330 in FIG. 10 allows the user to create an email message and have the reply sent to a different address 332 decided by the user, which eliminates the inconvenience of typing a lengthy message through a phone keypad and reading a reply message on the small screen of the client 200.
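The following example is added here and is not the patent's Appendix A listing. It runs the session creation described above, the SR, SP and SC exchange and the flowchart steps 202 through 266, end to end between a client object and a server object, with the relationships the text gives: C-nonceModified = constant XOR C-nonce, derivative = nonce + 1, a server proto-session that is promoted only after the step-two client authentication, and the server's two-cipher trial on the SC when the client declines the server-proposed cipher. As assumptions: a stand-in cipher built from the standard library (an HMAC-SHA256 keystream under a random 8-byte nonce, plus an 8-byte HMAC tag) replaces RC5-with-checksum, so unlike the text an IV does travel on the wire; the SC is encrypted under the shared secret key, as befits a C-SID = 1 session; and the cipher ids, field widths, XOR constant and session-key size are illustrative.

```python
"""Added example, not the patent's Appendix A: SR/SP/SC session creation run
end to end. Assumed: stand-in HMAC-based cipher instead of RC5 with checksum
(an IV is sent, unlike the text), SC encrypted under the shared secret key,
illustrative cipher ids, field widths and XOR constant."""
import hashlib, hmac, os, struct

XOR_CONST = 0x5A5A
CIPHER_A, CIPHER_B = b"\x01\x00", b"\x02\x00"   # two-byte cipher ids (assumed values)
SUPPORTED = {CIPHER_A, CIPHER_B}                # ciphers this server can decrypt
SP_FMT = ">I16sHH2s"                           # sessionID, key, S-nonce, derivative, cipher

def _ks(key, cipher_id, nonce, n):
    blocks = (hmac.new(key, cipher_id + nonce + bytes([i]), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encry(key, cipher_id, plaintext):
    """Stand-in Encry[]: nonce || keystream XOR plaintext || tag; the cipher id is bound into both."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(plaintext, _ks(key, cipher_id, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, cipher_id + nonce + ct, hashlib.sha256).digest()[:8]

def decry(key, cipher_id, blob):
    """Plaintext, or None for the text's 'not fully decrypted' case (wrong key, wrong cipher, altered data)."""
    nonce, ct, tag = blob[:8], blob[8:-8], blob[-8:]
    expect = hmac.new(key, cipher_id + nonce + ct, hashlib.sha256).digest()[:8]
    if len(blob) < 16 or not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _ks(key, cipher_id, nonce, len(ct))))

class Client:
    def __init__(self, shared_key, device_id, cipher=CIPHER_A, supported=(CIPHER_A,)):
        self.key, self.device_id, self.cipher = shared_key, device_id, cipher
        self.supported, self.committed, self.session = set(supported), False, None

    def session_request(self):
        """SR = {sessionID = 0, cipher, deviceID, Encry[C-nonce, C-nonceModified]}."""
        self.c_nonce = struct.unpack(">H", os.urandom(2))[0]
        body = struct.pack(">HH", self.c_nonce, self.c_nonce ^ XOR_CONST)
        return {"sessionID": 0, "cipher": self.cipher, "deviceID": self.device_id,
                "enc": encry(self.key, self.cipher, body)}

    def session_completion(self, sp):
        """Step one: the SP decrypts under the shared key. Step two: derivative - 1 == C-nonce.
        Returns SC = {Encry[S-nonce derivative]}, or None when the SP is discarded."""
        plain = None if sp["C-SID"] != 1 else decry(self.key, self.cipher, sp["enc"])
        if plain is None or len(plain) != struct.calcsize(SP_FMT):
            return None
        session_id, key, s_nonce, derivative, proposed = struct.unpack(SP_FMT, plain)
        if (derivative - 1) & 0xFFFF != self.c_nonce:
            return None                      # not the server holding our shared secret
        use = proposed if proposed in self.supported else self.cipher
        self.session = {"sessionID": session_id, "key": key, "cipher": use}
        self.committed = True                # committed, from the client's viewpoint only
        return {"enc": encry(self.key, use, struct.pack(">H", (s_nonce + 1) & 0xFFFF))}

class Server:
    def __init__(self, shared_keys, propose=None):
        self.keys = shared_keys              # deviceID -> shared secret key, set at activation
        self.propose = propose               # cipher to propose instead of the client's (None: echo it)
        self.proto, self.active, self.next_id = {}, {}, 1

    def session_reply(self, sr):
        """Step one client authentication; on success a proto-session exists and the SP is returned."""
        key = self.keys.get(sr["deviceID"])
        usable = key is not None and sr["sessionID"] == 0 and sr["cipher"] in SUPPORTED
        plain = decry(key, sr["cipher"], sr["enc"]) if usable else None
        if plain is None or len(plain) != 4:
            return None                      # unknown device, unsupported cipher, wrong key or altered SR
        c_nonce, c_mod = struct.unpack(">HH", plain)
        if c_nonce ^ XOR_CONST != c_mod:
            return None                      # decrypted, but the nonce relationship does not hold
        ps = {"sessionID": self.next_id, "key": os.urandom(16), "client_cipher": sr["cipher"],
              "s_nonce": struct.unpack(">H", os.urandom(2))[0], "cipher": self.propose or sr["cipher"]}
        self.next_id, self.proto[sr["deviceID"]] = self.next_id + 1, ps
        body = struct.pack(SP_FMT, ps["sessionID"], ps["key"], ps["s_nonce"], (c_nonce + 1) & 0xFFFF, ps["cipher"])
        return {"C-SID": 1, "enc": encry(key, sr["cipher"], body)}

    def complete(self, device_id, sc):
        """Step two client authentication: try the proposed cipher, then the client's own; then promote."""
        ps = self.proto.get(device_id)
        if ps is None:
            return False                     # no proto-session: never requested, or already promoted
        for cipher in (ps["cipher"], ps["client_cipher"]):
            plain = decry(self.keys[device_id], cipher, sc["enc"])
            if plain is not None and len(plain) == 2 and struct.unpack(">H", plain)[0] == (ps["s_nonce"] + 1) & 0xFFFF:
                ps["cipher"] = cipher        # the cipher the SC actually used becomes the session cipher
                self.active[ps["sessionID"]] = self.proto.pop(device_id)
                return True
        return False

def run_session(client, server):
    """Drives SR -> SP -> SC; True only when both sides hold an established session."""
    sr = client.session_request()
    sp = server.session_reply(sr)
    sc = client.session_completion(sp) if sp is not None else None
    return sc is not None and server.complete(sr["deviceID"], sc) and client.committed
```

Two properties of the text's design stand out when the exchange is written down. First, every check except the final promotion is a decryption: the nonce relationships (XOR for the SR, + 1 for the SP and SC) can only be verified by a party that already recovered the nonce, so the whole mutual authentication rests on the authenticity the encryption provides, which with the two-byte checksum of cipher 1 is weak. Second, a 2-byte nonce has 65,536 values, so "non-repeatable" cannot hold across many sessions, and a proto-session that is re-used for the same client must be discarded once promoted, as `complete` does, or a captured SC could be replayed.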

The contents of the exemplary pages respectively shown in FIGS. 6, 7, 8, 9 and 10, composed in HTML, are accessible by an HDML browser through a server providing communication protocol mapping and markup language translation functions. Similarly, information or messages entered on the client 200, composed in HDML, are equally accessible by any computer equipped with an HTML browser through the same server in the data network. The duality of the information updating through two different markup languages provides a useful means for efficiently managing a personal account and substantially solves the problems of inconvenient data entry through a less functional keypad.

The present invention has been described in sufficient detail with a certain degree of particularity. It is understood by those skilled in the art that the present disclosure of embodiments has been made by way of example only and that numerous changes in the arrangement and combination of parts as well as steps may be resorted to without departing from the spirit and scope of the invention as claimed. For example, any mobile device equipped with a micro browser, e.g. an HDML browser, may be connected, using an adapter, to the Internet directly without going through the airnet; the emerging Internet-enabled electronic appliances are also Internet-connected, all have limited computing power and keypads, but are capable of communicating with a server in a data network. The mutual authentication between such devices and the server thus becomes less complicated. The mutual authentication needs a process of having the client, such as a controller of the electronic appliance, authenticated by the server and having the server authenticated by the client. The process can be carried out with existing encryption mechanisms in HTTPS (an extended version of HTTP with built-in security), in which case the link server could be replaced by a built-in capability in the device, or in the HTTPS layer, or the transceiver, or somewhere in the connection to the Internet. The principles of the present invention may still be practiced in such a configuration. Accordingly, the scope of the present invention is defined by the appended claims rather than the foregoing description of one embodiment.

What is claimed is:

1. A method for accessing managed data contained in a data network system, the method comprising:

executing a first set of program instructions in a wireless telephone of a subscriber, the wireless telephone having a display screen and being in communication, over a wireless data network, with a server hosting the managed data, the managed data being uniquely associated with the wireless telephone of the subscriber and being accessible by a computing device executing a second set of program instructions and coupled to the server through a wired data network, the computing device being able to alter the managed data at the server via the wired data network, wherein the wireless data network and the data network utilize a first communication protocol and a second communication protocol, respectively;

sending a request to the server to retrieve the managed data after activation of a predefined key of the wireless telephone;

receiving, at the wireless telephone, the managed data from the server via the wireless data network, the managed data being presented in a first markup language interpretable by the first set of program instructions when presented to the wireless telephone and being presented in a second markup language interpretable by the second set of program instructions when presented to the computing device; and

displaying the managed data on the display screen of the wireless telephone.

2. The method as recited in claim 1, wherein the managed data comprises an address book and bookmarks entered from the computing device executing the second set of program instructions.

3. The method as recited in claim 1, wherein the first markup language is the same as the second markup language.

4. The method as recited in claim 1, wherein the first markup language is Handheld Device Markup Language (HDML) and the second markup language is Hypertext Markup Language (HTML).

5. The method as recited in claim 1, wherein the request comprises an address identifier identifying the server.

6. The method as recited in claim 5, wherein the address identifier is a universal resource locator (URL).

7. The method as recited in claim 1,

wherein the managed data comprises a plurality of selectable hyperlinks, each of the hyperlinks providing access to a resource in the data network; and

wherein the displaying comprises displaying at least one of the selectable hyperlinks on the display screen of the wireless telephone using the first set of program instructions.

8. The method as recited in claim 7, wherein the first set of program instructions is included in a first browser being operated in the wireless telephone and the second set of program instructions is included in a second browser being operated in the computing device.

9. The method as recited in claim 8, the method further comprising:

sending a new request from the wireless telephone to the server using the first set of program instructions to fetch information identified by one of the hyperlinks when the one of the hyperlinks being displayed is selected.

10. A method for accessing data contained in a data network system, the method comprising:

hosting, at a server, data associated with an account for a wireless telephone having a display screen, the data comprising a plurality of information categories and


US 6,233,608 B1

being accessible by a computing device remotely located and coupled to a data network selected from a group consisting of the Internet, a private network and a network of private networks;

receiving a request from the wireless telephone through a wireless data network to access the data, the request comprising a selection of one of the information categories;

retrieving information pertaining to the selected category if such information is co-located with the account and after the request is authenticated with respect to the account; and

forwarding the information to the wireless telephone in a first format displayable on the display screen of the wireless telephone.

11. The method as recited in claim 10, wherein the request is an update to the one of the information categories and causes the data to be updated with the update.

12. The method as recited in claim 10, further comprising:

prompting the computing device for credential information when the computing device accesses the data;

providing access to the data in a second format after the credential information is verified; and

updating the data upon receiving updated information from the computing device.

13. The method as recited in claim 12, wherein the first format is in a first markup language and the second format is in a second markup language.

14. The method as recited in claim 10, wherein the data comprises a plurality of hyperlinks, and the selected category is one of the hyperlinks; and wherein the retrieving further comprises:

contacting a resource identified by the one of the hyperlinks over the data network;

fetching the information in a second format from the resource; and

converting the respective information in the second format

15. The method as recited in claim 14, wherein the first format is a first markup language and the second format is a second markup language.

16. A method for interacting with managed data from a wireless computing device or a wired computing device, the managed data being stored on a server coupled to a data network, said method comprising:

permitting access to the managed data in a secure manner via the wired computing device;

receiving user input from the wired computing device;

altering the managed data being stored at the server based on the user input from the wired computing device; and

wherein the managed data is personalized information of the user.

21. A method as recited in claim 16, wherein said method further comprises:

altering the managed data being stored at the server based on the user input from the wireless computing device.

22. A method as recited in claim 16, wherein the wired computing device is a personal computer.

23. A method as recited in claim 16, wherein said permitting access to the managed data in a secure manner via the wireless computing device comprises:

authenticating the wireless computing device to the server; and

authenticating the server to the wireless computing device.

24. A method as recited in claim 16, wherein the wired computing device is a personal computer having a standard size keyboard, and the wireless computing device is a small, handheld device having a telephone-type keypad.

25. A method as recited in claim 24, wherein the managed data represents frequently requested data, thereby improving ease of use of the wireless computing device by allowing entry of the frequently requested data through use of the standard size keyboard, yet being for use by the wireless computing device.

26. A method as recited in claim 16, wherein the wired computing device is a personal computer having a substantially more powerful user input mechanism than the wireless computing device, which is a small, handheld device,

wherein the managed data represents frequently requested data, and

wherein said method improves ease of use by allowing entry of the frequently requested data through use of the more powerful input mechanism of the wired computing device, yet the frequently requested data so entered being for use by the wireless computing device.

27. A method as recited in claim 26, wherein a user input mechanism for the wireless computing device has ambiguous keys that require several key strokes to input a particular key, whereas the more powerful input mechanism has non-ambiguous keys that require a single keystroke to input a particular key.

28. A method as recited in claim 16, wherein the wireless computing device is a cellular telephone.

29. A method as recited in claim 28, wherein the wired computing device is a personal computer.

30. A method as recited in claim 16, wherein said permitting access to the managed data in a secure manner via the wired computing device uses a self-provisioning rendezvous.

31. A method as recited in claim 30, wherein the self-provisioning rendezvous is accessed by an address identifier.

32. A method as recited in claim 31, wherein the address

thereafter permitting access to the managed data in a identifier is a universal resource locator (URL). 

secure manner via the wireless computing device and 33. A computer readable medium containing program 

then forwarding the managed data to the wireless 55 c °de for accessing data contained in a data network system, 

computing device for use therein. tne computer readable medium comprising: 

17. A method as recited in claim 16, wherein the managed first program code for displaying the data on a display 
data is used on the wireless computing device to generate screen of a wireless device, the data comprising a 
screen displays on a display screen of the wireless comput- plurality of selectable information categories and 
ing device. 60 hosted in a server with at least one of the information 

18. A method as recited in claim 16, wherein the managed categories hyperlinking to a resource on a data 
data comprises at least one of address book data and network, the data also being accessible though a com- 
bookmark data. puting device remotely located and coupled to the data 

19. A method as recited in claim 16, wherein the managed network; 

data comprises user account data. 65 second program code for receiving a selection of one of 

20. A method as recited in claim 16, wherein the wireless the information categories when the one of the infor- 
computing device is associated with a user; and mation categories is selected by a user; 
third program code, executable in response to the
selection, for sending a request for information identi- 
fied by the selection to the server; 

fourth program code for receiving the information from 
the server in a first format; and 

fifth program code for displaying the respective informa- 
tion on the display screen. 

34. The computer readable medium as recited in claim 33, 
wherein the selection is made through a keypad with refer- 
ence to the information categories being displayed on the 
display screen. 

35. The computer readable medium as recited in claim 33, 
wherein the first format is a markup language. 

36. The computer readable medium as recited in claim 33, 
wherein the computer readable medium further comprises: 

sixth computer program code for receiving updated infor- 
mation entered from a telephone keypad; and 

seventh computer program code for sending the updated 
information to the server, the data being updated with 
the updated information. 

37. A computer readable medium containing program 
code for accessing data in a data network system, the 
program code comprising: 

a first program code for receiving a request, through a 
wireless data network, sent from a first browser being 
executed in a wireless telephone to access the data 
hosted in a database; the data associated with the 
wireless telephone and being accessible via a second 
browser executing on a computing device coupled to a 
data network that is part of the data network system; 

a second program code for authenticating the request with 
respect to an account associated to the wireless tele- 
phone; and 

a third program code for forwarding the data in a format 
supported by the first browser, through the wireless 
data network, to the wireless telephone. 

38. The computer readable medium as recited in claim 37, 
wherein the request comprises an identification identifying 
the wireless telephone; and the program code further com- 
prises a fourth program code for verifying if the wireless 
telephone is authorized by comparing the identification with 
the account. 

39. The computer readable medium as recited in claim 37, 
wherein the request comprises credential information; and 
the program code further comprises a fourth program code 
for verifying if the wireless telephone is authenticated by 
comparing the credential information with the account. 

40. The computer readable medium as recited in claim 37, 
wherein the first browser is executed by a processor of the 
wireless telephone, and further wherein the processor con- 
trols a telephony function of the wireless telephone. 

41. The computer readable medium as recited in claim 37, 
wherein the data includes a plurality of hyperlinks, each 
providing a link to a resource in the data network. 
42. The computer readable medium as recited in claim 41,
wherein if the request indicates one of the hyperlinks, the 
program code further comprises: 

a fourth program code for retrieving information identi-
fied by the one of the hyperlinks from the data network.

43. The computer readable medium as recited in claim 37, 
wherein if the credential information is different from an 
existing credential information after the wireless telephone
is authenticated, the program code further comprises a fourth
program code for updating the account with the new cre-
dential information.

44. The computer readable medium as recited in claim 43, 
wherein the new credential information must be provided
when the second browser executing on the computing device
attempts to access the data.

45. The computer readable medium as recited in claim 44, 
wherein the format is in a first markup language supported 
by the first browser and the data is in a second markup
language supported by the second browser.

46. The computer readable medium as recited in claim 45, 
wherein the second markup language provides a graphic 
user interface so that said data can be updated from the 
computing device. 
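
The server-side flow that claims 37 through 46 describe (a request from the telephone's browser carrying a device identification and credential information, verification of both against the account, a changed credential being recorded and thereafter required of the second browser, and each browser receiving the same data in the markup language it supports) can be sketched in code. The following is an added illustration written for this page, not code from the patent or its microfiche appendix; the class and function names, the use of a salted PBKDF2 hash for the stored credential, the constant-time comparison, and the choice of WML and HTML as the two markup languages are assumptions made for the example.

```python
# Added illustration of the two-browser account access flow in claims 37-46.
# Not from the patent; all names, the hashing scheme and the WML/HTML choice
# are assumptions made for this example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ROUNDS = 100_000  # assumed parameter; the page specifies no scheme


def hash_credential(credential: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the account never stores the raw credential."""
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    device_id: str                  # identification of the wireless telephone (claim 38)
    salt: bytes
    credential_hash: bytes          # existing credential information (claims 39, 43)
    data: Dict[str, str] = field(default_factory=dict)  # category -> hyperlink (claim 41)


class RendezvousServer:
    """Holds accounts and answers both the first (telephone) and second (PC) browser."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def provision(self, device_id: str, credential: str, data: Dict[str, str]) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[device_id] = Account(
            device_id, salt, hash_credential(credential, salt), dict(data))

    def _authenticate(self, device_id: str, credential: str) -> Optional[Account]:
        """Claims 38-39: compare the identification and the credential with the account."""
        acct = self.accounts.get(device_id)
        if acct is None:
            return None
        if not hmac.compare_digest(hash_credential(credential, acct.salt), acct.credential_hash):
            return None
        return acct

    def handle_first_browser(self, device_id: str, credential: str,
                             new_credential: Optional[str] = None) -> Optional[str]:
        """Claims 37, 43, 45: request from the telephone, optionally carrying new credential information."""
        acct = self._authenticate(device_id, credential)
        if acct is None:
            return None
        if new_credential is not None and new_credential != credential:
            # Claim 43: only after authentication is the existing credential replaced.
            acct.salt = secrets.token_bytes(16)
            acct.credential_hash = hash_credential(new_credential, acct.salt)
        return render(acct.data, "wml")

    def handle_second_browser(self, device_id: str, credential: str,
                              update: Optional[Dict[str, str]] = None) -> Optional[str]:
        """Claims 44, 46: the PC browser must present the current credential; it may update the data."""
        acct = self._authenticate(device_id, credential)
        if acct is None:
            return None
        if update:
            acct.data.update(update)
        return render(acct.data, "html")


def render(data: Dict[str, str], fmt: str) -> str:
    """Claim 45: the same managed data, delivered in the markup each browser supports."""
    items = sorted(data.items())
    if fmt == "wml":
        body = "".join(f'<a href="{url}">{name}</a>' for name, url in items)
        return f"<wml><card>{body}</card></wml>"
    body = "".join(f'<li><a href="{url}">{name}</a></li>' for name, url in items)
    return f"<html><body><ul>{body}</ul></body></html>"


if __name__ == "__main__":
    server = RendezvousServer()
    # Constructed sample account; the identifier and links are placeholders.
    server.provision("phone-0001", "1234", {"home": "http://example.invalid/home"})
    print(server.handle_second_browser("phone-0001", "1234", {"work": "http://example.invalid/work"}))
    print(server.handle_first_browser("phone-0001", "1234", new_credential="5678"))
    print(server.handle_second_browser("phone-0001", "1234"))  # None: the old credential is rejected
```

The point the example makes concrete is the asymmetry in claims 43 and 44: only the telephone's browser can change the credential, while the wired browser can read and update the managed data but must always present whatever credential the telephone last set.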

47. A wireless telephone for accessing data in a data
network system the wireless telephone comprising: 
a display screen; 

a memory containing a set of program code for a first 
browser; 

a processor, coupled to the display screen and the
memory, executing the set of program code to enable 
the first browser to perform operations of: 
sending a request to retrieve the data from a wireless 
data network, the data being hosted in a server 
coupled between the wireless data network utilizing
a first communication protocol and a data network
utilizing a second communication protocol;
receiving the data presented in a first markup language; 
displaying the data on the display screen; and 
wherein the data is accessible by a computing device
operating a second browser and coupled to the data 
network, and wherein the data presented to the 
computing device is in a second markup language. 

48. The wireless telephone as recited in claim 47, wherein 
the request comprises an identifier identifying the wireless
telephone so that the wireless telephone can be authenticated
by the server when the request is received.

49. The wireless telephone as recited in claim 47, wherein 
the first markup language and the second markup language
are the same.

50. The wireless telephone as recited in claim 47, wherein 
the processor controls a telephony operation of the wireless 
telephone. 

* * * * * 